Hello Mattias, or anyone else affected, Accepted openldap into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.42 +dfsg-2ubuntu3.9 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-xenial. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1557157 Title: apparmor profile denied for saslauthd: /run/saslauthd/mux Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Trusty: Won't Fix Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Eoan: Fix Committed Status in openldap source package in Focal: Fix Committed Status in openldap source package in Groovy: Fix Released Bug description: [Impact] When using openldap with sasl authentication, the slapd process will communicate with the saslauthd daemon via a socket in {,/var}/run/saslauthd/mux. Unfortunately, this will fail in every Ubuntu release from trusty onwards, because slapd's apparmor profile doesn't contain the necessary directive to allow it to read/write from/to the socket specified above. The fix is simple: just add the necessary directive to allow slapd to read/write from/to the saslauthd socket. [Test Case] One can reproduce the problem by doing: $ lxc launch ubuntu-daily:groovy openldap-bugbug1557157-groovy $ lxc shell openldap-bugbug1557157-groovy # apt install slapd sasl2-bin ldap-utils apparmor-utils (As the domain name, use "example.com"). # sed -i -e 's/^START=.*/START=yes/' /etc/default/saslauthd # cat > /etc/ldap/sasl2/slapd.conf << __EOF__ mech_list: PLAIN pwcheck_method: saslauthd __EOF__ # adduser openldap sasl # aa-enforce /etc/apparmor.d/usr.sbin.slapd # systemctl restart slapd.service # systemctl restart saslauthd.service # passwd root (You can choose any password here. You will need to type it when running the next command.) # ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN The command will fail with something like: ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: Password verification failed [Regression Potential] This is an extremely simple and well contained fix, so I don't envision any possible regressions after applying it. It is important noticing that, since the problem affects older Ubuntu releases, the openldap package will have to be rebuilt against possible newer versions of libraries and other depencencies, which, albeit unlikely, may cause issues. [Original Description] When using slapd with saslauthd the processes communicate via the {,/var}/run/saslauthd/mux socket (this is the default location for the saslauthd server from the sasl2-bin package in the /etc/default/saslauthd config), but the apparmor profile for usr.sbin.slapd does not allow access to this socket/file. Syslog message: apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=1880 4 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0 Please add the following line to /etc/apparmor.d/usr.sbin.slapd: /{,var/}run/saslauthd/mux rw, Ubuntu version: Ubuntu 14.04.4 LTS slapd version: 2.4.31-1+nmu2ubu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1557157/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
